WO2016107410A1 - Communication control device, authentication device, central control device, and communication system - Google Patents


Info

Publication number
WO2016107410A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
control device
authentication device
attribute
setting information
Prior art date
Application number
PCT/CN2015/097559
Other languages
French (fr)
Chinese (zh)
Inventor
杨宪国
孙卫平
Original Assignee
悠游宝(天津)网络科技有限公司
Priority date
Filing date
Publication date
Application filed by 悠游宝(天津)网络科技有限公司
Publication of WO2016107410A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W8/00 Network data management
            • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
              • H04W8/183 Processing at user equipment or user record carrier
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
            • H04W12/06 Authentication
            • H04W12/30 Security of mobile devices; Security of mobile applications
              • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
          • H04W36/00 Hand-off or reselection arrangements
            • H04W36/0005 Control or signalling for completing the hand-off
              • H04W36/0055 Transmission or use of information for re-establishing the radio link
                • H04W36/0072 Transmission or use of information for re-establishing the radio link of resource information of target access point
            • H04W36/14 Reselecting a network or an air interface
          • H04W48/00 Access restriction; Network selection; Access point selection
            • H04W48/18 Selecting a network or a communication service

Definitions

  • The present application relates to the field of communications technologies, and in particular to a communication control device, an authentication device, and a central control device.
  • A common method of writing number data to a Subscriber Identity Module (SIM) card is remote card writing.
  • Remote card writing is used by the operator during operation: the data is sent to the point of sale (POS) through a remote server.
  • SIM film card technology adds a layer of bridge film card, with bidirectional input/output (IO) processing capability, between the SIM card of a mobile phone and the phone's SIM card slot. While preserving the normal interaction between the phone and the SIM card, the programmable film card realizes a customized extension function.
  • Common extensions include SIM Tool Kit (STK) extensions, over-the-air (OTA) update applications, and more.
  • The prior art mainly attaches the SIM film card to the surface of the SIM card in the form of a film, and the combination realizes the STK extension of an ordinary SIM card, so the SIM film card mainly serves as an auxiliary to the SIM card.
  • The aim is for the SIM film card to realize the same user identification and network access functions as a SIM card while extending the available applications.
  • The embodiment of the present application provides a communication control device, an authentication device, a central control device, and a communication system.
  • The central control device authenticates the authentication device and issues attribute setting information, and controls the authentication device through the communication control device, so that the authentication device sets its own attributes according to the attribute setting information and the mobile terminal can select different carrier networks for communication.
  • A communication control apparatus controls an authentication apparatus that performs mobile user identity authentication on a mobile terminal, so that the mobile terminal can select a different carrier network.
  • The communication control device has:
  • a first obtaining unit configured to acquire identification information of the authentication device;
  • a first authentication unit configured to send the identification information to a server, so that the server performs identity authentication on the authentication device;
  • a second obtaining unit configured to acquire from the server a session key and attribute setting information encrypted by the session key;
  • a first sending unit configured to send the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decrypting it and sets an operator attribute of the authentication device according to the attribute setting information, wherein the attribute setting information has at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki).
  • The communication control device is provided to the mobile terminal.
  • The communication control device further has a handover control unit configured to receive a notification that the authentication device has successfully set the operator attribute and, if there are two or more carrier attributes, to select a carrier attribute according to a received handover instruction, so that the mobile terminal switches to communicate with the network corresponding to the selected carrier attribute.
  • The communication control device further has a deletion control unit configured to control the authentication device to delete an operator attribute according to a received deletion instruction.
  • An authentication apparatus is configured to be used by a mobile terminal to perform mobile user identity authentication, so that the mobile terminal communicates in a network; the authentication apparatus has:
  • a third obtaining unit configured to acquire, through the communication control device of the mobile terminal, a session key delivered by the server and attribute setting information encrypted by the session key;
  • a decryption unit configured to decrypt the attribute setting information encrypted by the session key, according to the decryption algorithm and the session key, to obtain the attribute setting information;
  • a setting unit configured to set an operator attribute of the authentication device according to the attribute setting information.
  • The authentication apparatus further includes a storage unit that stores the attribute setting information, an encryption algorithm, and the decryption algorithm.
  • The authentication device further includes a notification unit that transmits notification information after the setting unit successfully sets the operator attribute.
  • The authentication device is a Subscriber Identity Module (SIM) card, a chip attached to the SIM card, or a device built into the mobile terminal having an equivalent function.
  • A central control device is disposed at a server, and has:
  • a first receiving unit which receives identification information of an authentication device, provided on the mobile terminal, for performing mobile user identity authentication;
  • a second authentication unit configured to perform identity authentication on the authentication device according to the identification information and the encryption information, and to establish a session key if the authentication is successful;
  • a second sending unit configured to send the session key and the attribute setting information encrypted by the session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decrypting it and sets an operator attribute of the authentication device according to the attribute setting information, wherein the attribute setting information is stored in the server.
  • The central control device further has a management unit for managing the attribute setting information.
  • The beneficial effects are that the communication control device can send the encrypted attribute setting information and the session key obtained from the server to the authentication device, and the authentication device can set or update its operator attribute according to the attribute setting information delivered by the server. The user can thus conveniently write the card to the authentication device through the communication control device, which improves the flexibility of card writing; and because the authentication device can hold the number resources of multiple operators, the user can independently select and use the network services of multiple operators at any time and place.
  • FIG. 1 is a schematic diagram of the composition of a communication control apparatus according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of the composition of an authentication apparatus according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of the composition of a central control device according to an embodiment of the present application.
  • FIG. 4 is a flow chart of setting a carrier attribute for an authentication device according to the present embodiment.
  • The communication control device and the central control device may be implemented by software: the communication control device may be an application (APP) used by the mobile terminal, and the central control device may be a program used by the server. The present embodiment is not limited thereto; both may also be implemented by hardware, or by a combination of hardware and software.
  • The authentication device may be a Subscriber Identity Module (SIM) card, a chip attached to the SIM card such as a SIM film card, or a device with equivalent function integrated into the mobile terminal such as an eSIM card. The functions of the components of the authentication device can be implemented by software running on the authentication device, for example a chip operating system (Chip Operation System, COS). The present embodiment is not limited thereto; these functions may also be implemented by hardware, or by a combination of hardware and software, and the specific implementation may refer to the prior art.
  • The mobile terminal may be a portable electronic device such as a feature phone, a smartphone, or a tablet.
  • The embodiment of the present application provides a communication control apparatus, which controls an authentication apparatus for performing mobile user identity authentication on a mobile terminal, so that the mobile terminal can select different carrier networks for communication.
  • The communication control apparatus 100 may be provided with a first obtaining unit 101, a first authentication unit 102, a second obtaining unit 103, and a first sending unit 104.
  • The first obtaining unit 101 is configured to obtain the identification information of the authentication device; the identification information may be an Integrated Circuit Card Identity (ICCID).
  • The first authentication unit 102 is configured to send the identification information to the server, so that the server performs identity authentication on the authentication device.
  • The second obtaining unit 103 is configured to acquire from the server a session key and attribute setting information encrypted by the session key.
  • The first sending unit 104 is configured to send the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decrypting it and sets the operator attribute of the authentication device according to the attribute setting information.
  • The attribute setting information may be, for example, an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki); however, the implementation is not limited thereto, and the attribute setting information may be other information, as long as it can control the authentication device to set its carrier attribute so that the mobile terminal can communicate with the network corresponding to that carrier attribute.
  • The communication control apparatus can transmit the encrypted attribute setting information and the session key obtained from the server to the authentication apparatus, so that the authentication apparatus, under the control of the communication control apparatus, can use attribute setting information such as the IMSI and Ki to set or update its own operator attribute (for example, its IMSI and Ki). This lets the user write the card to the authentication device in a convenient manner, so that when a carrier attribute is selected, the corresponding phone number is used to communicate in the network corresponding to that carrier attribute.
  • The first obtaining unit 101 can obtain the ICCID of the authentication device through the ICCID query interface of the authentication device. The first obtaining unit 101 can also obtain whether the operator attribute of the authentication device has been set; for example, it can learn whether the IMSI of the authentication device is configured through the IMSI configuration information query interface of the authentication device.
  • The server may be requested to send the attribute setting information; if the communication control device learns that the carrier attribute of the authentication device has already been set, the mobile terminal can communicate using the network corresponding to that carrier attribute.
  • The first authentication unit 102 may, for example, invoke the server interaction interface of the communication control device to send the ICCID of the authentication device to the server, so that the server performs identity authentication on the authentication device according to the ICCID. If the identity authentication succeeds, the server can provide service to the authentication device; if it fails, the authentication device was not registered with the server in advance and does not belong to it. In addition, the first authentication unit 102 can also perform identity authentication on the server, to confirm that the server is legitimate and prevent the mobile terminal from connecting to a fake server. In this embodiment, the specific manner in which the server authenticates the authentication device, and in which the communication control device authenticates the server, may follow the prior art and is not particularly limited.
  • The second obtaining unit 103 may, for example, invoke the server interaction interface of the communication control device to receive the session key and the encrypted attribute setting information from the server.
  • There may be two or more pieces of encrypted attribute setting information from the server, so that two or more operator attributes can be set in the authentication device; these attributes may correspond to different network operators, so that the mobile terminal can switch between the networks provided by several different network operators.
  • The first sending unit 104 can send the session key and the encrypted attribute setting information to the authentication device, for example through the interface for data interaction with the authentication device, so that the authentication device obtains the attribute setting information by decryption and sets its operator attribute according to that information.
  • The communication control apparatus 100 may further have a handover control unit 105 for receiving the notification that the authentication apparatus has successfully set the operator attribute and, where there are two or more operator attributes, selecting an operator attribute according to a received switching instruction, so that the mobile terminal switches to communicate with the network corresponding to the selected carrier attribute.
  • When the authentication device of the mobile terminal holds two or more carrier attributes, or the mobile terminal has two or more authentication devices each holding at least one operator attribute, the operators corresponding to these attributes may be displayed on the user interface (UI) of the mobile terminal. The user's selection on that interface is converted into a switching instruction and sent to the handover control unit, which in turn sends a control signal to the authentication device so that it selects the IMSI and Ki corresponding to the operator chosen by the user; the mobile terminal then switches to communicate in the network corresponding to the selected IMSI and Ki.
  • The specific method by which the authentication device selects the corresponding IMSI and Ki so that the mobile terminal communicates in the corresponding network may refer to the prior art and is not described again here.
  • The handover control unit 105 can select one of the operator attributes to cause the mobile terminal to switch to communicate with the network corresponding to the selected carrier attribute.
  • The communication control apparatus 100 may further have a deletion control unit 106 for controlling the authentication apparatus to delete an operator attribute. The deletion control unit 106 may send a control command for deleting the operator attribute to the authentication device through the interface for data interaction with the authentication device, so that the authentication device deletes the corresponding operator attribute according to that command.
  • The communication control device can connect to the Internet through a wireless local area network or the like via the network connection module of the mobile terminal, and thereby exchange data with the server; the carrier attribute can thus be set for the authentication device even where the operator's mobile network has no coverage.
  • The communication control apparatus 100 may further have an online banking payment unit (not shown), which provides an online banking payment function; for the online banking payment unit, reference may be made to the prior art, which is not described in this embodiment.
  • The communication control device 100 can be disposed on the mobile terminal to control the authentication device of the mobile terminal. The embodiment is not limited thereto: the communication control device 100 can also be disposed on another mobile terminal or electronic device to control the authentication device on the mobile terminal by remote control.
  • The communication control apparatus can transmit the encrypted attribute setting information and the session key obtained from the server to the authentication apparatus, so that the authentication apparatus, under the control of the communication control apparatus, can use the attribute setting information delivered by the server, such as the IMSI and Ki, to set or update its own operator attributes. By providing the handover control unit, the mobile terminal can switch between different networks without replacing the authentication device, so the user can conveniently switch the carrier network used by the mobile terminal. And because the communication control device can connect to the Internet through a wireless local area network or the like and exchange data with the server to set the operator attribute for the authentication device, the card can be written without relying on mobile network coverage.
  • The embodiment of the present application provides an authentication device, disposed in a mobile terminal and configured to perform mobile user identity authentication so that the mobile terminal communicates in a network; the authentication device is controlled by the communication control device described in Embodiment 1.
  • FIG. 2 is a schematic diagram of the composition of the authentication apparatus of the embodiment.
  • The authentication apparatus may have a third obtaining unit 201, a decryption unit 202, and a setting unit 203.
  • The third obtaining unit 201 is configured to acquire, through the communication control device of the mobile terminal, a session key sent by the server and attribute setting information encrypted by the session key; the decryption unit 202 is configured to decrypt the attribute setting information using the decryption algorithm and the session key; and the setting unit 203 is configured to set an operator attribute of the authentication device according to the attribute setting information.
  • The third obtaining unit 201 can obtain the session key sent by the server, and the attribute setting information encrypted by that session key, from the communication control device 100 of Embodiment 1 through the interface for data communication with the communication control device 100.
  • The decryption unit 202 may decrypt the attribute setting information encrypted by the session key according to the decryption algorithm and the session key to obtain the attribute setting information. The decryption algorithm may be, for example, the SM4 data decryption algorithm and/or the SM3-HMAC (Hash-based Message Authentication Code) algorithm, and the decryption unit 202 may perform the decryption by calling an SM4 data encryption/decryption interface and/or an SM3-HMAC algorithm interface, obtaining attribute setting information such as the IMSI and Ki. The embodiment is not limited thereto; other decryption algorithms may be used.
  • The setting unit 203 may set the operator attribute of the authentication device according to the attribute setting information. For example, the setting unit 203 may invoke the IMSI configuration interface and the Ki configuration interface, and use the IMSI and Ki sent by the server and obtained by decryption to set the IMSI and Ki of the authentication device itself. The IMSI distinguishes and identifies the user of the mobile network, and Ki is the key for encrypting data transmission between the authentication device and the operator; the mobile terminal can then communicate in the network provided by the network operator corresponding to that IMSI and Ki.
  • The authentication apparatus may further have a notification unit 204, which sends notification information to the communication control apparatus of Embodiment 1 after the setting unit 203 has successfully set the operator attribute; the communication control device can thereby confirm, based on the notification information, that the operator attribute was configured successfully.
  • The authentication apparatus may further include a storage unit 205 for storing the attribute setting information, an encryption algorithm, and a decryption algorithm, for example the SM4 data encryption and decryption algorithm and the SM3-HMAC algorithm.
  • The authentication apparatus may further provide a data path conforming to the Transport Protocol Data Unit (TPDU) protocol, so that it can exchange data with the outside; it may also have a noise source read interface, the description of which may refer to the prior art.
  • The authentication device may further include an ICCID query interface and an IMSI configuration information query interface, among others, for providing the communication control device of Embodiment 1 with the query results for the ICCID and the IMSI configuration information of the authentication device.
  • The authentication device can thus decrypt the encrypted attribute setting information sent by the server and received through the communication control device of the mobile terminal, and then set its operator attribute according to that information, so that the mobile terminal can communicate in the network provided by the network operator corresponding to the carrier attribute.
  • The embodiment of the present application provides a central control device, which is disposed at a server.
  • FIG. 3 is a schematic diagram of the composition of a central control device according to an embodiment of the present application.
  • The central control device 300 has a first receiving unit 301, a second authentication unit 302, and a second sending unit 303.
  • The first receiving unit 301 receives the identification information of the authentication device that performs mobile user identity authentication on the mobile terminal; the identification information may be an integrated circuit card identifier, or other information.
  • The second authentication unit 302 performs identity authentication on the authentication device according to the identification information and the encryption information, and establishes a session key if the authentication is successful; the second sending unit 303 sends the session key and the attribute setting information encrypted by the session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decrypting it and sets its operator attribute according to that information, wherein the attribute setting information is stored on this server.
  • The first receiving unit 301 can receive the ICCID of the authentication device from the communication control device 100 of Embodiment 1; for example, it can invoke an interface in the server for communicating with the mobile terminal to receive the ICCID.
  • The second authentication unit 302 can perform identity authentication on the authentication device according to the received ICCID and the encrypted information, to determine whether to provide service to the authentication device. If the authentication fails, the central control device refuses to provide service to the authentication device; if it succeeds, the central control device provides service to the authentication device and establishes a session key.
  • The second sending unit 303 may invoke an interface in the server for communicating with the mobile terminal, and send the session key and the attribute setting information encrypted by the session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decrypting it and sets its operator attribute according to that information.
  • The attribute setting information may, for example, be pre-stored in a database of the server; the central control device may obtain it by calling an interface that accesses the database, and encrypt it with the session key.
  • The central control device 300 may further include a management unit 304 for managing the attribute setting information. The management unit 304 may be configured to update the attribute setting information stored in the server according to the data of the network operator: for example, when a user reports the mobile phone number, the network operator may clear or change the information related to that number in its database; the central control device then obtains the network operator's data update information through the interface provided for the network operator, and the management unit 304 performs update processing, such as clearing or changing the attribute setting information stored in the server, based on that data update information.
  • The central control device 300 may further have an internet banking payment interface (not shown), which can be used as an authentication interface between the server and the internet bank.
  • The central server can thus issue the attribute setting information to the authentication device in encrypted form, so that the authentication device can obtain the attribute setting information securely and set its own carrier attribute, and the mobile terminal can communicate in the network provided by the network operator corresponding to that carrier attribute.
  • Embodiment 4 of the present application provides a communication system composed of the communication control device 100 of Embodiment 1, the authentication device 200 of Embodiment 2, and the central control device 300 of Embodiment 3. For a detailed description of each component device of the system, reference may be made to Embodiments 1 to 3; the description is not repeated in this embodiment.
  • FIG. 4 is a flow chart of setting a carrier attribute for an authentication device according to the present embodiment. As shown in FIG. 4, the process includes:
  • S1: starting the communication control device 100, and acquiring the identification information (for example, the ICCID) of the authentication device and information on whether the IMSI has been set;
  • the communication control device 100 transmits the identification information (for example, the ICCID) to the central control device 300;
  • the central control device 300 performs identity authentication according to the identification information (for example, the ICCID) and the encrypted information;
  • if the authentication succeeds, a session key is established, and the IMSI and Ki are encrypted using the session key;
  • the communication control device 100 sends the session key and the encrypted IMSI and Ki to the authentication device 200;
  • the authentication device 200 decrypts them according to the session key and the decryption algorithm to obtain the IMSI and Ki delivered by the server;
  • the authentication device 200 sets the IMSI and Ki in the authentication device 200 according to the IMSI and Ki delivered by the server;
  • the authentication device 200 transmits notification information that the IMSI and Ki have been set successfully to the communication control device 100.
  • in this way an operator attribute can be set for the authentication device 200, that is, a card writing operation is performed on the authentication device.
  • the authentication device may also be controlled by the communication control device to delete the operator attribute, that is, a card clearing operation is performed on the authentication device.
  • the communication control apparatus 100 can control the authentication apparatus to select an IMSI and Ki, so that the mobile apparatus switches to and communicates with the network provided by the operator corresponding to the selected IMSI and Ki.
  • the management unit 304 of the central control device 300 can update the attribute setting information stored in the server according to the data of the network operator, thereby stopping the provision of service to an authentication device that has been reported lost.
  • the network bank payment unit of the communication control device 100 and the central control device 300 can also have a network bank payment interface to implement the function of network bank payment.
  • the intermediate links and restrictions of conventional card writing and network access can thus be effectively reduced, and functions such as writing a card, clearing the card, and switching networks can be performed conveniently, thereby improving the user's autonomy.
  • the above devices of the present application may be implemented by hardware or by hardware combined with software.
  • the present application also relates to a computer readable program that, when executed by a logic component, enables the logic component to implement the apparatus or components described above, or to implement the various methods or steps described above.
  • the present application also relates to a storage medium for storing the above program, such as a hard disk, a magnetic disk, an optical disk, a DVD, a flash memory, or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

The present application provides a communication control device, an authentication device, a central control device, and a communication system. The communication control device controls the authentication device that is disposed on a mobile terminal and is used for authenticating the identity of a mobile user, so as to allow the mobile terminal to select different operator networks for communication. The communication control device comprises: a first acquiring unit, for acquiring identification information of the authentication device; a first authentication unit, for sending the identification information to a server to allow the server to perform identity authentication; a second acquiring unit, for acquiring a session key from the server and attribute setting information encrypted by means of the session key; and a first sending unit, for sending the session key and the encrypted attribute setting information to the authentication device to allow the authentication device to acquire the attribute setting information by means of decryption and set an operator attribute of the authentication device according to the attribute setting information. The present application can help a user autonomously rewrite the authentication device so as to select and use a network service of the operator.

Description

Communication control device, authentication device, central control device, and communication system
Technical field
The present application relates to the field of communications technologies, and in particular to a communication control device, an authentication device, and a central control device.
Background
A Subscriber Identity Module (SIM) card is a device for realizing mobile user identity authentication. Each user's SIM card has different number data written into it by the operator, so that after the user logs into the mobile network, the card can be uniquely identified and granted access by the network.
A common method of writing number data into a SIM card is remote card writing: during operation, when a user opens an account, the operator sends data from a remote server to a point-of-sale (POS) terminal, and a card writer then immediately writes the number data into the SIM card.
In the prior art there is also a SIM film card technology, in which a bridging film card with bidirectional input/output (IO) processing capability is added between the SIM card and the SIM card slot of the mobile phone. While preserving the normal command interaction between the phone and the SIM card, the programmable film card implements custom extension functions. Common extensions include SIM Tool Kit (STK) extensions for the SIM card and over-the-air (OTA) application updates.
It should be noted that the above description of the technical background is provided only to facilitate a clear and complete description of the technical solutions of the present application and to aid understanding by those skilled in the art. The above technical solutions should not be considered well known to those skilled in the art merely because they are set forth in the background section of this application.
Summary of the application
The inventors of the present application have found that, in the prior art, remote card writing requires additional card-writing hardware, and the user must go to a business hall where an agent handles the procedure. The existing method of writing number data therefore has the following problems in practical application:
1) Because of monopoly factors, foreign operators cannot simply use the above technologies to write and issue cards for users directly within the country;
2) Because of the limitations of hardware and special SIM cards, cards can only be issued to users indirectly; users cannot perform card writing, card clearing and similar operations on the SIM card autonomously and quickly, and therefore cannot customize or change operators and services on their own;
3) The above technologies and the corresponding systems are designed from the perspective of a single operator's own operation rather than a third-party public platform, so they cannot quickly provide users with shared multi-operator service on one SIM card by writing multiple numbers and switching between different operators' numbers, or rewrite number information so that an old operator can exit and a new operator can join.
These three problems therefore increase cost and inconvenience for network operators and mobile network users.
In addition, as regards SIM film card technology, the prior art mainly attaches the SIM film card to the surface of the SIM card in the form of a film and uses the two together to implement STK extensions for an ordinary SIM card. The SIM film card thus mainly plays an auxiliary role to the SIM card; it is rarely used to implement user identification and network access functions equivalent to those of the SIM card, or to extend applications on that basis.
The embodiments of the present application provide a communication control device, an authentication device, a central control device, and a communication system. The central control device authenticates the authentication device and issues attribute setting information, and the communication control device controls the authentication device so that it sets its own attributes according to the attribute setting information, whereby the mobile terminal can select different operator networks for communication.
According to one aspect of the embodiments of the present application, a communication control device is provided, which controls an authentication device disposed on a mobile terminal for performing mobile user identity authentication, so that the mobile terminal can select different operator networks for communication. The communication control device has:
a first acquiring unit, configured to acquire identification information of the authentication device;
a first authentication unit, configured to send the identification information to a server so that the server performs identity authentication on the authentication device;
a second acquiring unit, configured to acquire a session key from the server, and attribute setting information encrypted with the session key; and
a first sending unit, configured to send the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decryption and sets an operator attribute of the authentication device according to the attribute setting information, wherein the attribute setting information includes at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki).
According to another aspect of the embodiments of the present application, the communication control device is disposed on the mobile terminal.
According to another aspect of the embodiments of the present application, the communication control device further has a switching control unit,
a switching control unit, configured to receive a notification that the authentication device has successfully set the operator attribute, and, when there are two or more operator attributes, to select an operator attribute according to a received switching instruction, so that the mobile terminal switches to the network corresponding to the selected operator attribute for communication.
According to another aspect of the embodiments of the present application, the communication control device further has:
a deletion control unit, configured to control the authentication device to delete the operator attribute according to a received deletion instruction.
According to still another aspect of the embodiments of the present application, an authentication device is provided, disposed on a mobile terminal, for performing mobile user identity authentication so that the mobile terminal can communicate in a network. The authentication device has:
a third acquiring unit, configured to acquire, via the communication control device of the mobile terminal, a session key delivered by the server, and attribute setting information encrypted with the session key;
a decryption unit, configured to decrypt the attribute setting information encrypted with the session key according to a decryption algorithm and the session key, to obtain the attribute setting information; and
a setting unit, configured to set an operator attribute of the authentication device according to the attribute setting information.
According to another aspect of the embodiments of the present application, the authentication device further includes a storage unit that stores the attribute setting information, an encryption algorithm, and the decryption algorithm.
According to another aspect of the embodiments of the present application, the authentication device further includes a notification unit that sends notification information after the setting unit has successfully set the operator attribute.
According to another aspect of the embodiments of the present application, the authentication device is a Subscriber Identity Module (SIM) card, a chip attached to the SIM card, or a device built into the mobile terminal that has functions equivalent to the SIM card.
According to yet another aspect of the embodiments of the present application, a central control device is provided, disposed on a server. The central control device has:
a first receiving unit, which receives identification information of an authentication device disposed on a mobile terminal for performing mobile user identity authentication;
a second authentication unit, configured to perform identity authentication on the authentication device according to the identification information and encrypted information, and to establish a session key if the authentication succeeds; and
a second sending unit, configured to send the session key and the attribute setting information encrypted with the session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decryption and sets an operator attribute of the authentication device according to the attribute setting information, wherein the attribute setting information is stored in the server.
According to another aspect of the embodiments of the present application, the central control device further has a management unit for managing the attribute setting information.
The beneficial effects of the present application are as follows: the communication control device can send the encrypted attribute setting information and the session key obtained from the server to the authentication device, and the authentication device can set or update its own operator attribute according to the attribute setting information delivered by the server. The user can thus conveniently write the card to the authentication device through the communication control device, which improves the user's flexibility in card writing, equips the authentication device with the number resources of multiple operators, and allows the user to freely select and use the network services of multiple operators at any time and place.
Specific embodiments of the present application are disclosed in detail with reference to the following description and the accompanying drawings, which indicate the ways in which the principles of the present application may be employed. It should be understood that the embodiments of the present application are not thereby limited in scope. Within the spirit and scope of the appended claims, the embodiments of the present application include many changes, modifications and equivalents.
Features described and/or illustrated with respect to one embodiment may be used in the same or a similar manner in one or more other embodiments, in combination with features of other embodiments, or in place of features of other embodiments.
It should be emphasized that the term "comprising/including", as used herein, refers to the presence of a feature, integer, step or component, but does not exclude the presence or addition of one or more other features, integers, steps or components.
Brief description of the drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the present application; they constitute a part of the specification, illustrate embodiments of the present application, and together with the written description serve to explain the principles of the present application. Obviously, the drawings in the following description are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from these drawings without inventive effort. In the drawings:
FIG. 1 is a schematic diagram of the composition of a communication control device according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the composition of an authentication device according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the composition of a central control device according to an embodiment of the present application;
FIG. 4 is a flow chart of the communication system according to the present embodiment setting an operator attribute for the authentication device.
Detailed description
The foregoing and other features of the present application will become apparent from the following description, taken with reference to the drawings. The specification and drawings disclose particular embodiments of the present application, indicating some of the embodiments in which the principles of the present application may be employed; it should be understood that the present application is not limited to the described embodiments, but rather includes all modifications, variations and equivalents falling within the scope of the appended claims. Various embodiments of the present application are described below with reference to the drawings. These embodiments are merely exemplary and do not limit the present application.
In the present application, the communication control device and the central control device may be implemented in software; for example, the communication control device may be an application (APP) used by the mobile terminal, and the central control device may be a program used by the server. However, this embodiment is not limited thereto: the communication control device and the central control device may also be implemented in hardware, or in hardware combined with software, and the specific implementation may refer to the prior art.
In the present application, the authentication device may be a Subscriber Identity Module (SIM) card, a chip attached to the SIM card such as a SIM film card, or a device integrated into the mobile terminal with functions equivalent to the SIM card, such as an eSIM; the functions of the components of the authentication device may be implemented by software running on the authentication device, for example a chip operating system (COS). However, this embodiment is not limited thereto: the functions of the components of the authentication device may also be implemented in hardware, or in hardware combined with software, and the specific implementation may refer to the prior art.
In the present application, the mobile terminal may be a portable electronic device such as a feature phone, a smartphone or a tablet computer.
Embodiment 1
This embodiment of the present application provides a communication control device, which controls an authentication device disposed on a mobile terminal for performing mobile user identity authentication, so that the mobile terminal can select different operator networks for communication.
FIG. 1 is a schematic diagram of the composition of the communication control device of this embodiment. As shown in FIG. 1, the communication control device 100 may have a first acquiring unit 101, a first authentication unit 102, a second acquiring unit 103, and a first sending unit 104.
The first acquiring unit 101 is configured to acquire the identification information of the authentication device; for example, the identification information may be an Integrated Circuit Card Identity (ICCID), although it may of course also be other information. The first authentication unit 102 is configured to send the identification information to the server so that the server performs identity authentication on the authentication device. The second acquiring unit 103 is configured to acquire a session key from the server, together with attribute setting information encrypted with the session key. The first sending unit 104 is configured to send the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decryption and sets the operator attribute of the authentication device according to the attribute setting information.
In this embodiment, the attribute setting information may be, for example, an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki); however, this embodiment is not limited thereto, and the attribute setting information may also be other information, as long as it can control the authentication device to set its operator attribute so that the mobile terminal can communicate in the network corresponding to that operator attribute.
With this embodiment, the communication control device can send the encrypted attribute setting information and the session key obtained from the server to the authentication device. Under the control of the communication control device, the authentication device can then set or update its own operator attribute, which may for example be an IMSI and Ki, according to the attribute setting information delivered by the server, such as the IMSI and Ki. The user can thus write the card to the authentication device in a convenient manner and, once an operator attribute is selected, communicate in the network corresponding to that operator attribute using the corresponding telephone number.
In this embodiment, the first acquiring unit 101 may obtain the ICCID of the authentication device through the ICCID query interface of the authentication device. The first acquiring unit 101 may also obtain information on whether the operator attribute of the authentication device has been set; for example, it may obtain information on whether the IMSI of the authentication device has been configured through the IMSI configuration information query interface of the authentication device.
In this embodiment, if the communication control device finds that the operator attribute of the authentication device has not yet been set, it may request the server to deliver attribute setting information; if it finds that the operator attribute of the authentication device has already been set, it may have the mobile terminal communicate using the network corresponding to that operator attribute.
In this embodiment, the first authentication unit 102 may, for example, call the server interaction interface of the communication control device to send the ICCID of the authentication device to the server, so that the server performs identity authentication on the authentication device according to the ICCID. If the identity authentication succeeds, the server can provide service to the authentication device; if it fails, the authentication device was not registered with the server in advance and is not a service object of the server. In addition, the first authentication unit 102 may also authenticate the server, to confirm that the server is a legitimate server and prevent the mobile terminal from connecting to a fake server. In this embodiment, the specific way in which the server authenticates the authentication device and in which the communication control device authenticates the server may be a method of the prior art and is not particularly limited here.
In this embodiment, the second acquiring unit 103 may, for example, call the server interaction interface of the communication control device to receive the session key and the encrypted attribute setting information from the server. Moreover, in this embodiment, there may be two or more pieces of encrypted attribute setting information from the server, so that two or more operator attributes can be set in the authentication device, each corresponding to a different network operator, allowing the mobile terminal to switch between the networks provided by several different network operators.
In this embodiment, the first sending unit 104 may, for example, send the session key and the encrypted attribute setting information to the authentication device through an interface for data interaction with the authentication device, so that the authentication device obtains the attribute setting information by decryption and sets the operator attribute of the authentication device according to the attribute setting information.
In this embodiment, as shown in FIG. 1, the communication control device 100 may further have a handover control unit 105, which receives the notification that the authentication device has successfully set the operator attribute and, when there are two or more operator attributes, selects an operator attribute according to a received switching instruction, so that the mobile terminal switches to the network corresponding to the selected operator attribute for communication. For example, when the authentication device of the mobile terminal is provided with two or more operator attributes, or the mobile terminal is provided with two or more authentication devices each of which is provided with at least one operator attribute, the operators corresponding to those operator attributes may be displayed on the user interface (UI) of the mobile terminal; the user's selection of an operator on the interface can be converted into a switching instruction and sent to the handover control unit, which then sends a control signal to the authentication device so that the authentication device selects the IMSI and Ki corresponding to the operator chosen by the user, and the mobile terminal switches to the network corresponding to the selected IMSI and Ki for communication.
In this embodiment, the specific method by which the authentication device selects the corresponding IMSI and Ki so that the mobile terminal communicates in the corresponding network may refer to the prior art and is not described again here.
The handover control unit 105 can select one of the operator attributes so that the mobile terminal switches to the network corresponding to the selected operator attribute for communication.
In this embodiment, as shown in FIG. 1, the communication control device 100 may further have a deletion control unit 106 for controlling the authentication device to delete the operator attribute. For example, the deletion control unit 106 may send a control instruction for deleting the operator attribute to the authentication device through the interface for data interaction with the authentication device, so that the authentication device deletes the corresponding operator attribute according to that control instruction.
In the present application, the communication control device can connect to the Internet via the network connection module of the mobile terminal, through a wireless local area network or the like, and thereby exchange data with the server; as a result, the operator attribute can be set for the authentication device even where the operator's mobile network has no coverage.
In addition, in this embodiment, the communication control device 100 may further have an online banking payment unit (not shown) for providing an online banking payment function. For the implementation of the online banking payment unit, reference may be made to the prior art, which is not described again in this embodiment.
In this embodiment, the communication control device 100 may be provided in the mobile terminal so as to control the authentication device of that mobile terminal. The embodiment is not limited to this, however: the communication control device 100 may also be provided in another mobile terminal or electronic device and control the authentication device of this mobile terminal by remote control.
With the embodiments of the present application, the communication control device can send the encrypted attribute setting information and the session key obtained from the server to the authentication device, so that, under the control of the communication control device, the authentication device can set or update its own operator attributes, such as IMSI and Ki, according to the attribute setting information issued by the server, such as IMSI and Ki. Further, by providing the handover control unit, the mobile terminal can switch between different networks without replacing the authentication device, so that the user can conveniently switch the operator network used by the mobile terminal. Further, the communication control device can connect to the Internet through a wireless local area network or the like and exchange data with the server in order to set the operator attribute for the authentication device, so that card writing can be performed without relying on the coverage of the mobile network.
Embodiment 2
An embodiment of the present application provides an authentication device, provided in a mobile terminal, for performing mobile user identity authentication so that the mobile terminal can communicate in a network; the authentication device is controlled by the communication control device of Embodiment 1.
FIG. 2 is a schematic diagram of the composition of the authentication device of this embodiment. As shown in FIG. 2, the authentication device may have a third obtaining unit 201, a decryption unit 202 and a setting unit 203.
The third obtaining unit 201 obtains, via the communication control device of the mobile terminal, the session key issued by the server and the attribute setting information encrypted with that session key; the decryption unit 202 performs decryption according to a decryption algorithm and the session key to obtain the attribute setting information; and the setting unit 203 sets the operator attribute of the authentication device according to the attribute setting information.
In this embodiment, the third obtaining unit 201 may obtain the session key issued by the server and the attribute setting information encrypted with that session key from the communication control device 100 of Embodiment 1, through the interface for data interaction with the communication control device 100.
In this embodiment, the decryption unit 202 may decrypt the attribute setting information encrypted with the session key according to the decryption algorithm and the session key, to obtain the attribute setting information. In this embodiment, the decryption algorithm may be, for example, the SM4 data decryption algorithm and/or the SM3-HMAC (Hash-based Message Authentication Code) algorithm, and the decryption unit 202 may perform the decryption operation by calling, for example, an SM4 data encryption/decryption interface and/or an SM3-HMAC algorithm interface, to obtain the attribute setting information, such as the IMSI and Ki. Of course, the embodiment is not limited to this, and other decryption algorithms may also be used.
In this embodiment, the setting unit 203 may set the operator attribute of the authentication device itself according to the attribute setting information. For example, the setting unit 203 may call an IMSI configuration interface and a Ki configuration interface and set the IMSI and Ki of the authentication device itself according to the decrypted IMSI and Ki issued by the server. The IMSI identifies and distinguishes users of the mobile network, and Ki is the key used for encrypted data transfer between the authentication device and the operator; according to the IMSI and Ki, the mobile terminal can communicate in the network provided by the network operator corresponding to that IMSI and Ki.
In this embodiment, as shown in FIG. 1, the authentication device may further have a notification unit 204 which, after the setting unit 203 has successfully set the operator attribute, sends notification information to the communication control device of Embodiment 1, so that the communication control device can confirm from the notification information that the operator attribute has been configured successfully.
In this embodiment, as shown in FIG. 1, the authentication device may further have a storage unit 205 for storing the attribute setting information, the encryption algorithm and the decryption algorithm, for example the SM4 data encryption/decryption algorithm and the SM3-HMAC algorithm.
In addition, in this embodiment, the authentication device may also provide a data path conforming to the Transport Protocol Data Unit (TPDU) protocol, to facilitate data transfer between the authentication device and the outside; the authentication device may also have a noise source read interface, for which reference may likewise be made to the prior art.
In addition, in this embodiment, the authentication device may also have an ICCID query interface, an IMSI configuration information query interface and the like, for providing the communication control device of Embodiment 1 with query results for the ICCID and IMSI configuration information of the authentication device.
According to this embodiment, the authentication device can receive, via the communication control device of the mobile terminal, the encrypted attribute setting information issued by the server, decrypt it, and set its own operator attribute according to that attribute setting information, so that the mobile terminal can communicate in the network provided by the network operator corresponding to that operator attribute.
Embodiment 3
An embodiment of the present application provides a central control device, which is provided at a server.
FIG. 3 is a schematic diagram of the composition of the central control device of an embodiment of the present application. As shown in FIG. 3, the central control device 300 has a first receiving unit 301, a second authentication unit 302 and a second sending unit 303.
The first receiving unit 301 receives the identification information of the authentication device provided in the mobile terminal for performing mobile user identity authentication; the identification information may be, for example, an integrated circuit card identifier (ICCID), although other information may also be used. The second authentication unit 302 performs identity authentication of the authentication device according to the identification information and the encryption information, and establishes a session key if the authentication succeeds. The second sending unit 303 sends the session key and the attribute setting information encrypted with that session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decryption and sets its operator attribute according to that attribute setting information; the attribute setting information is stored on the server.
In this embodiment, the first receiving unit 301 may receive the ICCID of the authentication device from the communication control device 100 of Embodiment 1; for example, the first receiving unit 301 may call the interface of the server used for communicating with mobile terminals to receive the ICCID.
In this embodiment, the second authentication unit 302 may authenticate the identity of the authentication device according to the received ICCID and the encryption information, to decide whether to provide service to that authentication device. If the authentication fails, the central control device refuses to provide service to the authentication device; if the authentication succeeds, the central control device provides service to the authentication device and establishes a session key.
In this embodiment, the second sending unit 303 may call the interface of the server used for communicating with mobile terminals to send the session key and the attribute setting information encrypted with that session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decryption and sets its operator attribute according to that attribute setting information.
In this embodiment, the attribute setting information may, for example, be stored in advance in a database of the server, and the central control device may obtain the attribute setting information by calling an interface for accessing that database and encrypt it with the session key.
In this embodiment, the central control device 300 may further have a management unit 304 for managing the attribute setting information. In one specific implementation, the management unit 304 may update the attribute setting information stored on the server according to the network operator's data. For example, when a user reports a mobile phone number as lost, the information related to that number in the network operator's database may be cleared or changed; the central control device then obtains the network operator's data update information through an interface provided for the network operator, and the management unit 304 performs update processing, such as clearing or changing the corresponding attribute setting information stored on the server, according to that data update information.
In addition, in this embodiment, the central control device 300 may further have an online banking payment interface (not shown). When the mobile terminal performs an online banking payment, the online banking payment interface can serve as the authentication interface between the server and the online bank.
According to this embodiment, the central server can issue the attribute setting information to the authentication device in encrypted form, so that the authentication device obtains the attribute setting information securely and sets its own operator attribute, enabling the mobile terminal to communicate in the network provided by the network operator corresponding to that operator attribute.
Embodiment 4
Embodiment 4 of the present application provides a communication system composed of the communication control device 100 of Embodiment 1, the authentication device 200 of Embodiment 2 and the central control device of Embodiment 3. For a detailed description of each component device of the system, reference may be made to Embodiments 1 to 3; the description is not repeated in this embodiment.
FIG. 4 is a flowchart of the communication system of this embodiment setting an operator attribute for the authentication device. As shown in FIG. 4, the flow includes:
S1: start the communication control device 100 and obtain the identification information of the authentication device (for example, the ICCID) and information on whether the IMSI has been set;
S2: if it is determined that the IMSI has not been set, the authentication device has not been activated; then, after receiving the user's instruction to activate the authentication device, the communication control device 100 sends the identification information (for example, the ICCID) to the central control device 300;
S3: the central control device performs identity authentication according to the identification information (for example, the ICCID) and the encryption information; if the authentication succeeds, it establishes a session key and encrypts the IMSI and Ki with the session key;
S4: the session key and the encrypted IMSI and Ki are sent to the communication control device 100;
S5: the communication control device 100 sends the session key and the encrypted IMSI and Ki to the authentication device 200;
S6: the authentication device 200 performs decryption according to the session key and the decryption algorithm to obtain the IMSI and Ki issued by the server;
S7: the authentication device 200 sets its own IMSI and Ki according to the IMSI and Ki issued by the server;
S8: the authentication device 200 sends notification information to the communication control device 100 that the IMSI and Ki have been set successfully.
Through S1 to S8 of FIG. 4, an operator attribute can be set for the authentication device 200, that is, a card writing operation is performed on the authentication device.
In addition, in this embodiment, the communication control device can also control the authentication device to delete the operator attribute, that is, perform a card clearing operation on the authentication device.
In addition, in this embodiment, when it is determined in step S2 above that the IMSI of the authentication device 200 has already been set, the communication control device 100 can control the authentication device to select an IMSI and Ki, so that the mobile device switches to the network provided by the operator corresponding to the selected IMSI and Ki and communicates in it.
In addition, in this embodiment, the management unit 304 of the central control device 300 can update the attribute setting information stored on the server according to the network operator's data, so that service to a lost authentication device can be stopped, that is, the authentication device can be reported lost.
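The S1 to S8 flow of FIG. 4, the card clearing operation and the lost-card handling by management unit 304, modelled end to end with the three roles of Embodiments 1 to 3, as an added example that is not the patent's own code. Its assumptions: HMAC-SHA256 stands in for both the SM4 cipher and the SM3-HMAC of Embodiment 2, since neither SM algorithm is in Python's standard library; the "encryption information" the server checks together with the ICCID is modelled as an HMAC proof under a per-card secret, which the page does not specify; and the ICCID, IMSI, Ki and secret values are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Cipher stand-ins (assumption): HMAC-SHA256 replaces SM4 and SM3-HMAC.

def _subkey(session_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (stand-in for SM4)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(session_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the attribute setting information under the session key."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unprotect(session_key: bytes, msg: dict):
    """Check the MAC before decrypting; None means the message was altered in transit."""
    tag = hmac.new(_subkey(session_key, b"mac"), msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        return None
    stream = _keystream(_subkey(session_key, b"enc"), msg["nonce"], len(msg["ct"]))
    return bytes(c ^ s for c, s in zip(msg["ct"], stream))


class CentralControlDevice:
    """Embodiment 3, at the server: holds IMSI/Ki per ICCID and authenticates cards."""

    def __init__(self, registry: dict):
        # registry: ICCID -> {"secret", "imsi", "ki"}; the per-card secret is an
        # assumption standing in for the page's unspecified "encryption information".
        self.registry = registry
        self.sessions = {}

    def authenticate(self, iccid: str, proof: bytes):
        """S3: verify the ICCID and proof; on success establish and return a session key."""
        entry = self.registry.get(iccid)
        if entry is None:
            return None
        expected = hmac.new(entry["secret"], iccid.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        self.sessions[iccid] = os.urandom(32)
        return self.sessions[iccid]

    def issue_attributes(self, iccid: str) -> dict:
        """S4: the IMSI and Ki, encrypted under the session key of an authenticated card."""
        entry = self.registry[iccid]
        payload = json.dumps({"imsi": entry["imsi"], "ki": entry["ki"]}).encode()
        return protect(self.sessions[iccid], payload)

    def report_lost(self, iccid: str) -> None:
        """Management unit 304: clear the record so a lost card is refused service."""
        self.registry.pop(iccid, None)
        self.sessions.pop(iccid, None)


class AuthenticationDevice:
    """Embodiment 2, the SIM-like device: stores IMSI/Ki only after a verified decryption."""

    def __init__(self, iccid: str, secret: bytes):
        self.iccid, self.secret = iccid, secret
        self.imsi = self.ki = None

    def proof(self) -> bytes:
        return hmac.new(self.secret, self.iccid.encode(), hashlib.sha256).digest()

    def is_provisioned(self) -> bool:
        return self.imsi is not None

    def set_attributes(self, session_key: bytes, msg: dict) -> bool:
        """S6-S8: decrypt, set IMSI and Ki, return the success notification."""
        plain = unprotect(session_key, msg)
        if plain is None:
            return False
        attrs = json.loads(plain)
        self.imsi, self.ki = attrs["imsi"], attrs["ki"]
        return True

    def clear(self) -> None:
        """Card clearing: drop the operator attribute."""
        self.imsi = self.ki = None


class CommunicationControlDevice:
    """Embodiment 1, on the terminal: drives S1-S8 and never inspects the ciphertext."""

    def provision(self, device: AuthenticationDevice, server: CentralControlDevice) -> bool:
        if device.is_provisioned():            # S1-S2: already activated, nothing to write
            return False
        session_key = server.authenticate(device.iccid, device.proof())   # S2-S3
        if session_key is None:                # server refused service
            return False
        msg = server.issue_attributes(device.iccid)                        # S4
        return device.set_attributes(session_key, msg)                     # S5-S8
```

Two design points worth noting. The device verifies the MAC before it decrypts, so an altered message never writes a partial or attacker-chosen IMSI and Ki into the card and the S8 notification is only sent for an intact one. And, exactly as the page describes, the session key travels from the server to the terminal and on to the device alongside the ciphertext, so the confidentiality of Ki rests entirely on those two hops being themselves authenticated and encrypted (for example by TLS between terminal and server); the example does not model that transport layer.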
In addition, in this embodiment, online banking payment can be implemented through the online banking payment unit of the communication control device 100 and an online banking payment interface of the central control device 300.
According to this embodiment, the intermediate steps and restrictions of conventional card writing and network activation can be effectively reduced, and functions such as card writing, card clearing and network switching can be performed conveniently, giving users greater freedom of choice.
The devices of the present application described above may be implemented by hardware or by hardware combined with software. The present application relates to a computer-readable program which, when executed by a logic component, enables that logic component to implement the devices or components described above, or to carry out the methods or steps described above. The present application also relates to a storage medium for storing the above program, such as a hard disk, magnetic disk, optical disc, DVD or flash memory.
The present application has been described above with reference to specific embodiments, but it should be clear to those skilled in the art that these descriptions are exemplary and do not limit the scope of protection of the present application. Those skilled in the art may make various variations and modifications to the present application according to its spirit and principles, and such variations and modifications also fall within the scope of the present application.

Claims (10)

  1. A communication control device which controls an authentication device provided in a mobile terminal for performing mobile user identity authentication, so that the mobile terminal can select different operator networks for communication, the communication control device being provided in the mobile terminal and having:
    a first obtaining unit for obtaining identification information of the authentication device;
    a first authentication unit for sending the identification information to a server, so that the server performs identity authentication of the authentication device;
    a second obtaining unit which, when the identity authentication by the server succeeds, obtains a session key from the server and attribute setting information encrypted with the session key; and
    a first sending unit for sending the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decryption and sets an operator attribute of the authentication device according to the attribute setting information,
    wherein the attribute setting information comprises at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki), and
    the communication control device exchanges data with the server by connecting to the Internet.
  2. The communication control device according to claim 1, wherein
    the communication control device is provided in the mobile terminal.
  3. The communication control device according to claim 1, wherein the communication control device further has:
    a handover control unit for receiving a notification that the authentication device has successfully set the operator attribute and, when there are two or more operator attributes, selecting an operator attribute according to a received switching instruction, so that the mobile terminal switches to the network corresponding to the selected operator attribute for communication.
  4. The communication control device according to claim 1, wherein the communication control device further has:
    a deletion control unit for controlling the authentication device to delete the operator attribute according to a received deletion instruction.
  5. An authentication device, provided in a mobile terminal, for performing mobile user identity authentication so that the mobile terminal communicates in a network, the authentication device having:
    a third obtaining unit which communicates with a communication control device provided in the mobile terminal to receive a session key issued by a server and obtained by the communication control device, and attribute setting information encrypted with the session key;
    a decryption unit for decrypting the attribute setting information encrypted with the session key according to a decryption algorithm and the session key, to obtain the attribute setting information; and
    a setting unit for setting an operator attribute of the authentication device according to the attribute setting information,
    wherein the attribute setting information comprises at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki), and
    the communication control device exchanges data with the server by connecting to the Internet.
  6. The authentication device according to claim 5, wherein the authentication device further has:
    a storage unit which stores the attribute setting information, an encryption algorithm and the decryption algorithm.
  7. The authentication device according to claim 5, wherein the authentication device further has:
    a notification unit which sends notification information after the setting unit has successfully set the operator attribute.
  8. The authentication device according to claim 5, wherein
    the authentication device is a Subscriber Identity Module (SIM) card, a chip attached to the SIM card, or a device built into the mobile terminal that has the same function as the SIM card.
  9. A central control device, provided at a server, the central control device having:
    a first receiving unit which communicates with a communication control device provided in a mobile terminal to receive identification information of an authentication device provided in the mobile terminal for performing mobile user identity authentication;
    a second authentication unit for performing identity authentication of the authentication device according to the identification information and encryption information, and establishing a session key when the authentication succeeds; and
    a second sending unit for sending the session key and attribute setting information encrypted with the session key to the communication control device provided in the mobile terminal, so that the communication control device sends the session key and the encrypted attribute setting information to the authentication device, and the authentication device obtains the attribute setting information by decryption and sets an operator attribute of the authentication device according to the attribute setting information,
    wherein the attribute setting information comprises at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki), and
    the communication control device exchanges data with the server by connecting to the Internet.
  10. The central control device according to claim 9, wherein the central control device further has:
    a management unit for managing the attribute setting information.
PCT/CN2015/097559 2014-12-30 2015-12-16 Communication control device, authentication device, central control device, and communication system WO2016107410A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410838428.3 2014-12-30
CN201410838428.3A CN104519480B (en) 2014-12-30 2014-12-30 Communication control unit, authentication device, central controller and communication system

Publications (1)

Publication Number Publication Date
WO2016107410A1 true WO2016107410A1 (en) 2016-07-07

Family

ID=52794088

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/097559 WO2016107410A1 (en) 2014-12-30 2015-12-16 Communication control device, authentication device, central control device, and communication system

Country Status (13)

Country Link
US (1) US9723549B2 (en)
EP (1) EP3041189A1 (en)
JP (1) JP2016127598A (en)
KR (1) KR101727414B1 (en)
CN (1) CN104519480B (en)
AU (1) AU2015261578B2 (en)
CA (1) CA2913456C (en)
HK (1) HK1207233A1 (en)
MY (1) MY175039A (en)
RU (1) RU2636679C2 (en)
SG (1) SG10201509653XA (en)
TW (1) TW201625029A (en)
WO (1) WO2016107410A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9723549B2 (en) 2014-12-30 2017-08-01 Youyoubao (Tianjin) Network Technology Co., Ltd. Communication control apparatus, authentication device, central control apparatus and communication system

Families Citing this family (13)

Publication number Priority date Publication date Assignee Title
CN106162522B (en) * 2016-03-04 2017-11-24 悠游宝(天津)网络科技有限公司 Communication control unit and central controller for general configurable authentication device
CN106102035A (en) * 2016-05-25 2016-11-09 南京酷派软件技术有限公司 The changing method of embedded user identification card, device, terminal and server
CN107659926A (en) * 2016-07-25 2018-02-02 中兴通讯股份有限公司 SIM card information transmission method and device
US10757569B2 (en) * 2016-08-05 2020-08-25 Nokia Technologies Oy Privacy preserving authentication and key agreement protocol for apparatus-to-apparatus communication
JP6408536B2 (en) * 2016-11-17 2018-10-17 Kddi株式会社 COMMUNICATION SYSTEM, COMMUNICATION DEVICE, SERVER DEVICE, COMMUNICATION METHOD, AND COMPUTER PROGRAM
US11082212B2 (en) 2017-12-26 2021-08-03 Industrial Technology Research Institute System and method for communication service verification, and verification server thereof
CN109819434A (en) * 2019-01-11 2019-05-28 深圳市斯凯荣科技有限公司 A kind of card cell system and control method based on eSIM
CN110636501B (en) * 2019-09-20 2023-04-07 北京芯盾集团有限公司 Mobile position information hiding method and system
CN110708739B (en) * 2019-10-21 2022-05-13 中国联合网络通信集团有限公司 Network connection method, device and system
US11197154B2 (en) 2019-12-02 2021-12-07 At&T Intellectual Property I, L.P. Secure provisioning for wireless local area network technologies
CN112055351B (en) * 2020-09-11 2023-04-07 太思隆达科技(北京)有限公司 Data updating method and device for thin smart card
CN114267123B (en) * 2021-12-15 2023-08-04 新奥(中国)燃气投资有限公司 Intelligent NFC card for gas meter and communication processing method thereof
US20230388280A1 (en) * 2022-05-25 2023-11-30 CybXSecurity LLC System, Method, and Computer Program Product for Generating Secure Messages for Messaging

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006095216A1 (en) * 2005-03-11 2006-09-14 N-Tel Communications Limited Communications method and system
CN102711096A (en) * 2012-05-30 2012-10-03 中国联合网络通信集团有限公司 Method, device and terminal for card personalization over the air
CN103716781A (en) * 2013-12-27 2014-04-09 北京大唐智能卡技术有限公司 Card writing method, device and system for mobile terminal intelligent card
US20140148162A1 (en) * 2011-05-23 2014-05-29 Gigsky, Inc. Global e-marketplace for mobile services
CN104519480A (en) * 2014-12-30 2015-04-15 悠游宝(天津)网络科技有限公司 Communication control device, authentication device, center control device and communication system
CN105101163A (en) * 2015-07-22 2015-11-25 联通兴业通信技术有限公司 Method and apparatus for card personalization over air

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2879867A1 (en) * 2004-12-22 2006-06-23 Gemplus Sa CHIP CARD ALLOCATION SYSTEM TO A NETWORK OPERATOR
WO2007094624A1 (en) * 2006-02-17 2007-08-23 Ktfreetel Co., Ltd. Ic card, terminal with ic card and initializing method thereof
CN101222723B (en) * 2008-01-31 2012-05-30 熊文俊 Virtual SIM card multi-number single/dual-module mobile phone, implementation method and system thereof
CN101222712B (en) * 2008-02-02 2010-09-08 代邦(江西)制卡有限公司 Mobile terminal supporting virtual SIM card and its user identity authentication method
CN101222713A (en) 2008-02-04 2008-07-16 深圳华为通信技术有限公司 Electricity output control method, device and terminal
US9009796B2 (en) * 2010-11-18 2015-04-14 The Boeing Company Spot beam based authentication
US8195234B2 (en) * 2008-09-22 2012-06-05 Mediatek Inc. Methods for sharing mobility status between subscriber identity cards and systems utilizing the same
KR20100068692A (en) 2008-12-15 2010-06-24 주식회사 케이티 System and method for providing service using imsi(international mobile subscriber identity)
WO2011115407A2 (en) * 2010-03-15 2011-09-22 Samsung Electronics Co., Ltd. Method and system for secured remote provisioning of a universal integrated circuit card of a user equipment
US9100810B2 (en) * 2010-10-28 2015-08-04 Apple Inc. Management systems for multiple access control entities
US8555067B2 (en) 2010-10-28 2013-10-08 Apple Inc. Methods and apparatus for delivering electronic identification components over a wireless network
US9407616B2 (en) * 2011-04-27 2016-08-02 Telefonaktiebolaget Lm Ericsson (Publ) Authenticating a device in a network
KR101937487B1 (en) 2011-06-22 2019-01-11 주식회사 케이티 User Equipment with Embedded UICC, Activating Method of User Equipment, Terminating Method of User Equipment, User Equipment Managing Server, User Equipment Ordering Method of User Equipment Managing Server, and User Equipment Activating Method of User Equipment Managing Server
KR102001869B1 (en) * 2011-09-05 2019-07-19 주식회사 케이티 Method and Apparatus for managing Profile of Embedded UICC, Provisioning Method and MNO-Changing Method using the same
CN102523578B (en) * 2011-12-09 2015-02-25 北京握奇数据系统有限公司 Over-the-air card writing method, apparatus and system
CN102769850B (en) 2012-04-16 2015-10-28 中兴通讯股份有限公司 Single-card multi-mode multi-operator authentication method and device
ES2647088T3 (en) * 2012-12-21 2017-12-19 Giesecke+Devrient Mobile Security Gmbh Procedures and devices for OTA subscription management
KR102138315B1 (en) * 2013-05-30 2020-07-27 삼성전자주식회사 Method and Apparatus for Provisioning Profile
US9537659B2 (en) * 2013-08-30 2017-01-03 Verizon Patent And Licensing Inc. Authenticating a user device to access services based on a device ID

Also Published As

Publication number Publication date
HK1207233A1 (en) 2016-01-22
RU2636679C2 (en) 2017-11-27
CN104519480B (en) 2016-02-17
AU2015261578A1 (en) 2016-07-14
JP2016127598A (en) 2016-07-11
MY175039A (en) 2020-06-03
TW201625029A (en) 2016-07-01
US20160192287A1 (en) 2016-06-30
CA2913456C (en) 2017-07-04
TWI563858B (en) 2016-12-21
SG10201509653XA (en) 2016-07-28
RU2015153111A (en) 2017-06-16
AU2015261578B2 (en) 2017-03-09
US9723549B2 (en) 2017-08-01
CA2913456A1 (en) 2016-06-30
KR101727414B1 (en) 2017-04-14
CN104519480A (en) 2015-04-15
KR20160081798A (en) 2016-07-08
EP3041189A1 (en) 2016-07-06

Similar Documents

Publication Publication Date Title
WO2016107410A1 (en) Communication control device, authentication device, central control device, and communication system
CN106161359B (en) Method and device for authenticating a user, and method and device for registering a wearable device
JP2021036453A (en) System and method for initially establishing and periodically confirming trust in software application
JP5688458B2 (en) System and method for securely using multiple subscriber profiles in security components and portable communication devices
US8196188B2 (en) Systems and methods for providing network credentials
US9445262B2 (en) Authentication server, mobile terminal and method for issuing radio frequency card key using authentication server and mobile terminal
CN104093139B (en) Air card-writing method, server and smart card
US8191124B2 (en) Systems and methods for acquiring network credentials
CN104363250B (en) Method and system for device connection
US10009760B2 (en) Providing network credentials
US20140140507A1 (en) Method for changing mno in embedded sim on basis of dynamic key generation and embedded sim and recording medium therefor
KR20160101581A (en) Method for transferring profile and electronic device supporting thereof
US8990960B2 (en) Method for near field communication operation, a device and a system thereto
CN107979835B (en) eSIM card and management method thereof
CN104205891A (en) Virtual SIM card cloud platform
KR20120046376A (en) System and method for providing payment means management service, apparatus and device for payment means management service
JP2010503319A (en) System and method for obtaining network credentials
US9992196B2 (en) Information processing device, wireless communication system, information processing method, and program
KR101604927B1 (en) Automatic connection system and method using near field communication
KR101365889B1 (en) Control method of connecting to mobile-network for smart phone, the system and the computer readable medium able running the program thereof
CN105635096A (en) Data module access method, system and terminal
US20230033931A1 (en) Method, ledger and system for establishing a secure connection from a chip to a network and corresponding network
WO2024175747A1 (en) Virtual subscriber identity module distribution
EP3267651A1 (en) Method, device and system for storing securely data
KR20200130044A (en) Apparatus and methods for managing and verifying digital certificates

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 15875088
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 EP: PCT application non-entry in European phase
Ref document number: 15875088
Country of ref document: EP
Kind code of ref document: A1